Configuring Security After Upgrade

You can make a few changes that will further tighten security for MOM, if your security policies require it.

DAS Account

If you kept the DAS account that MOM 2000 SP1 used when you upgraded to MOM 2005, MOM does not change that account's privileges and group assignments from their MOM 2000 SP1 settings. Those privileges are higher than MOM 2005 requires, and you can reduce them without affecting how MOM 2005 functions. The settings are:

Table 3 Privileges Required for the DAS Account in MOM 2005

Privilege                                     MOM 2000   MOM 2005
-----------------------------------------------------------------
Local administrator rights                    YES        NO
Act as part of the operating system           YES        NO
Create a token object                         YES        NO
Log on as a batch job                         YES        NO
Log on as a service                           YES        YES (1)
Domain account                                YES        YES (2)
In System Administrator Role in SQL Server    NO         NO
Member of MOM Users Group                     YES        YES
Member of MOM Service Group                   N/A        YES (3)
Db_owner access to the OnePoint database      YES        YES

YES - The DAS account must have this privilege in the specified release of MOM.

NO - The DAS account does not require this privilege in the specified release of MOM.

(1) Only required if the MMPC is installed on the Management Server.

(2) If the DAS and the MOM Database are on the same computer, the Local Service account can be used (or Network Service on Windows Server 2003).

(3) Only if the MMPC is installed.

DAS and Local Administrator Are Members of All MOM Groups After Upgrade

The DAS account and local administrator account group memberships are also copied over from their MOM 2000 SP1 equivalents. This means the DAS account and the local administrator are members of the new MOM 2005 security groups (for example, MOM Administrator, MOM System, MOM Author, MOM User). Because MOM 2005 only requires the DAS account to be a member of the MOM Users group, you can remove the DAS account from the other groups, and remove the local administrator account from all of the groups (unless you require it to be there).

To change which account is used for the DAS, you must do the following:

  1. Make the new account a member of the MOM Users group on the Management Server.

  2. Add it to the SQL Server "db_owner" role in the OnePoint database.

  3. Make the account a SQL Server Security Login with "Permit" server access.
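The SQL Server part of that procedure (steps 2 and 3), as an added T-SQL example that is not from this guide. It assumes a placeholder account name DOMAIN\MOMDAS and the SQL Server 2000-era stored procedures sp_grantlogin, sp_grantdbaccess and sp_addrolemember; the login is created before the database role is granted because the role grant needs an existing login. The verification queries at the end check the two SQL Server rows of Table 3 (db_owner in OnePoint: YES; System Administrator server role: NO):

```sql
-- Added example (not from the MOM 2005 guide): T-SQL for steps 2 and 3 of
-- "To change which account is used for the DAS". Run it in Query Analyzer
-- or osql against the SQL Server that hosts the OnePoint database.
-- ASSUMPTION: DOMAIN\MOMDAS is a placeholder for the new DAS domain account.
--
-- Step 1 (membership in the local "MOM Users" group) is a Windows change
-- made on the Management Server, not in SQL Server, for example:
--   net localgroup "MOM Users" DOMAIN\MOMDAS /add

-- Step 3: create a Windows-authenticated login with "Permit" server access.
-- sp_grantlogin corresponds to "Permit"; sp_denylogin would be "Deny".
-- Done first, because the database role grant below requires the login.
EXEC sp_grantlogin 'DOMAIN\MOMDAS';
GO

-- Step 2: grant db_owner in the OnePoint database only (no server-wide role).
USE OnePoint;
GO
EXEC sp_grantdbaccess 'DOMAIN\MOMDAS';               -- map login to a DB user
EXEC sp_addrolemember 'db_owner', 'DOMAIN\MOMDAS';   -- db_owner in OnePoint
GO

-- Verification against Table 3:
--   db_owner access to OnePoint   = YES  (account should be listed)
--   System Administrator role     = NO   (expect 0, not 1)
EXEC sp_helprolemember 'db_owner';
SELECT IS_SRVROLEMEMBER('sysadmin', 'DOMAIN\MOMDAS') AS is_sysadmin;
GO
```

If the last query returns 1, the account is still in the sysadmin fixed server role, which Table 3 lists as not required; sp_dropsrvrolemember 'DOMAIN\MOMDAS', 'sysadmin' removes it.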

For more information about the DAS account, see the "MOM Database and Reporting Database Security" section in this guide.

Enable Mutual Authentication

After you have upgraded the entire management group, you can enhance security by enabling mutual authentication and blocking legacy agents. Mutual authentication is a management group-wide setting and cannot be overridden. When you enable the Require mutual authentication setting, the Block Legacy Agents setting is also automatically enabled.

Block Legacy Agents

After you have upgraded the entire management group, you can enhance security by blocking MOM 2000 and MOM 2000 SP1 agents from communicating with the Management Server by enabling the Block Legacy Agent setting. This setting is automatically enabled if you enable mutual authentication, but can be enabled even if mutual authentication is not. Block Legacy Agents is a management group-wide setting and cannot be overridden.

Agent Proxying

This setting either enables or blocks agents from relaying information from other computers or network devices to the Management Server. This setting is management group-wide, but can be overridden on individual agents.

You might want to block agent proxying to prevent attackers from using a lower-security device or computer to send data to a Management Server.

Updating Agent Settings

The communications port, mutual authentication setting, and other configuration settings must be changed on the agents after the upgrade finishes. You can change these settings on any upgraded agent either by using the Update Agent Settings dialog box, or by using Add or Remove Programs on the managed computer as described in the "To update an agent outside a firewall" procedure in this guide.

Important

    If you want to use a separate account for each agent's Action Account, you cannot select multiple agents and use the Update Agent Settings dialog box. You must use the dialog box for each agent individually.

You cannot use the Management Server to change settings on agents that are outside a firewall, that are in a non-trusted domain or workgroup, or whose Control Level is set to "None". To change these settings on such agents, see the "To update an agent outside a firewall" procedure in this guide.